Managing edge certificates
IBM Cloud® Internet Services offers three types of edge certificates: Universal, Advanced, and Custom.
Universal certificates
By default, CIS issues free, unshared, publicly trusted SSL certificates to all domains added on CIS. For these Universal certificates, CIS controls the validity periods and certificate authorities (CAs), making sure that renewals always occur. Universal certificates that are issued by Let's Encrypt or Google Trust Services have a 90-day validity period.
CIS can change the CA that issues Universal certificates at any time and does not notify you when it does. If you need to choose the issuing CA yourself, order an Advanced certificate.
Advanced certificates
Advanced certificates offer a flexible and customizable way to issue and manage certificates. Use Advanced certificates when you want more control than Universal SSL provides (for example, over the issuing CA and the validity period) but still want CIS to handle issuance and renewal for you.
Advanced certificates are ordered directly through CIS.
Certificate validity and renewal periods for Universal and Advanced certificates
Universal certificates are always valid for 90 days and are renewed automatically 30 days before expiration.
With Advanced certificates, you select the validity period. Each validity period has a fixed auto-renewal period, as shown in the following table.
Certificate validity period | Auto renewal period | Details |
---|---|---|
3 months | 30 days | |
1 month | 7 days | Not supported by Let's Encrypt |
2 weeks | 3 days | Not supported by Let's Encrypt |
Renewal periods are automated on the back end and are not customizable.
Backup certificates
If CIS provides authoritative DNS for your domain, CIS issues a backup Universal SSL certificate for every standard Universal certificate that it issues.
Backup certificates use a different private key and are issued by a different CA (Google Trust Services, Let's Encrypt, Sectigo, or SSL.com) from the one that issued your domain's primary Universal SSL certificate.
Backup certificates are not normally deployed, but CIS deploys them automatically if the primary certificate is revoked or its private key is compromised.
Custom certificates
Custom certificates are for customers who want to use their own SSL certificates. You upload these certificates to CIS.
Unlike Universal or Advanced certificates, CIS does not manage the issuance or renewal for custom certificates. You are responsible for uploading, updating, and tracking the expiration dates of your custom certificates.
Failure to renew and certificate replacement
For certificates that CIS manages, renewal attempts begin at the start of the auto-renewal period and continue until 24 hours before expiration. If the certificate still has not renewed and another valid certificate exists for the hostname, CIS deploys that certificate during the final 24 hours.
CAA records
A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. Publishing CAA records reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.
The following table lists the CAA record content to publish for each CA that CIS uses. If you publish CAA records, they must permit every CA that might issue for your domain, including the CA of any backup certificate: a CAA record set that omits a CA blocks issuance and renewal by that CA.
Certificate authority | CAA record content |
---|---|
Let's Encrypt | letsencrypt.org |
Google Trust Services | pki.goog; cansignhttpexchanges=yes |
SSL.com | ssl.com |
DigiCert | digicert.com; cansignhttpexchanges=yes |
Sectigo | sectigo.com |
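The following script is an added example (not CIS product code) that applies the CAA lookup and matching rules from RFC 8659 to a constructed, in-memory record set, so it runs offline. It shows the cases a practitioner needs to get right before trusting a CAA policy: the walk up the name tree to the nearest CAA RRset, the precedence of `issuewild` over `issue` for wildcard names, the `issue ";"` value that forbids all CAs, and the issuer-critical flag on a tag the CA does not understand. The zone contents, host names, and the `SAMPLE_ZONE` structure are hypothetical; `CAA_VALUE` reproduces the table above.

```python
"""Evaluate CAA policy for a host name against a CA's issuer domain.

Added example; this is not CIS product code. It applies the RFC 8659
lookup and matching rules to an in-memory record set so that it runs
offline. To check a live zone, replace ``caa_records_for`` with a real
DNS query for the CAA type.
"""
from dataclasses import dataclass

# CAA record content from the table above, keyed by CA name.
CAA_VALUE = {
    "Let's Encrypt": "letsencrypt.org",
    "Google Trust Services": "pki.goog; cansignhttpexchanges=yes",
    "SSL.com": "ssl.com",
    "DigiCert": "digicert.com; cansignhttpexchanges=yes",
    "Sectigo": "sectigo.com",
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0, or CRITICAL for a property the CA must understand
    tag: str     # issue, issuewild, iodef, ...
    value: str   # for example 'pki.goog; cansignhttpexchanges=yes'


# Constructed sample zone: hypothetical names and records, not real DNS data.
SAMPLE_ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issue", "pki.goog; cansignhttpexchanges=yes"),
        CAARecord(0, "issuewild", "digicert.com"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    # 'issue ";"' forbids every CA for this name and for names below it.
    "locked.example.com": [CAARecord(0, "issue", ";")],
    # A critical record with a tag the CA does not understand: refuse.
    "critical.example.com": [CAARecord(CRITICAL, "futuretag", "x")],
}


def parse_issuer(value):
    """Split 'domain; key=value; ...' into (domain, params).
    An empty domain (the value ';') authorises no CA at all."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            key, val = p.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return parts[0].lower(), params


def caa_records_for(name, zone):
    """Return the relevant CAA RRset for ``name``: the first non-empty set
    found while walking from the name up towards the root (RFC 8659 s3).
    A wildcard name '*.example.com' is evaluated at 'example.com'."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]), [])
        if records:
            return records
    return []


def ca_may_issue(name, ca_value, zone):
    """True if the CA identified by ``ca_value`` (a CAA record value such
    as 'pki.goog; cansignhttpexchanges=yes') may issue for ``name``."""
    ca_domain, _ = parse_issuer(ca_value)
    records = caa_records_for(name, zone)
    if not records:
        return True   # no CAA anywhere above the name: any CA may issue
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in records):
        return False  # unknown critical property: conforming CAs must refuse
    # issuewild governs wildcard names when present; otherwise issue applies.
    tags = ["issuewild", "issue"] if name.startswith("*.") else ["issue"]
    for tag in tags:
        relevant = [r for r in records if r.tag.lower() == tag]
        if relevant:
            return any(parse_issuer(r.value)[0] == ca_domain for r in relevant)
    return True       # CAA records exist (e.g. only iodef) but none restrict issuance


def permitted_cas(name, zone):
    """Names of the CAs from the table above that may issue for ``name``."""
    return sorted(ca for ca, value in CAA_VALUE.items()
                  if ca_may_issue(name, value, zone))


def caa_zone_line(name, ca, wildcard=False):
    """Zone-file line that authorises ``ca`` for ``name`` (or its wildcards)."""
    tag = "issuewild" if wildcard else "issue"
    return f'{name.rstrip(".")}. IN CAA 0 {tag} "{CAA_VALUE[ca]}"'


if __name__ == "__main__":
    for host in ("www.example.com", "*.example.com",
                 "api.locked.example.com", "critical.example.com", "unrelated.test"):
        print(f"{host:26} -> {permitted_cas(host, SAMPLE_ZONE)}")
    print(caa_zone_line("example.com", "Google Trust Services"))
```

Run it before tightening a zone's CAA policy: `permitted_cas` over the host names CIS serves tells you which of the CAs in the table can still issue, and `caa_zone_line` renders the record to add for any CA that is missing. Note that in the sample zone `www.example.com` is closed to DigiCert even though `*.example.com` is open to it, because `issuewild` never applies to non-wildcard names.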
Certificate statuses
Each certificate status describes where a certificate is in the issuance process. The possible statuses vary by certificate type.
New certificate statuses
When you order a new certificate, whether it is an edge certificate or a certificate that is used for a custom hostname, its status moves through the following stages as it is deployed to the global network.
- Initializing
- Pending Validation
- Pending Issuance
- Pending Deployment
- Active
After you order a certificate, it moves to Pending Validation and changes to Active after validation completes. If you see errors, you might need to take further action to validate the certificate.
If you deactivate a certificate, it moves to Deactivating and then Inactive status.
Custom certificate statuses
When you use a custom certificate and your zone status is Pending or Moved, your certificate might have a status of Holding Deployment.
When your zone becomes active, your custom certificate deploys automatically and changes to an Active status. However, if your zone is already active when you upload a custom certificate, you do not see this status.
Staging certificate statuses
When you create certificates in your staging environment, those staging certificates have their own set of statuses.
- Staging deployment: Similar to Pending Deployment, but for staging certificates.
- Staging active: Similar to Active, but for staging certificates.
- Deactivating: Your staging certificate is in the process of becoming Inactive.
- Inactive: Your staging certificate is not at the edge, but you can deploy it if needed.
Client certificate statuses
When you use client certificates, those client certificates have their own set of statuses:
- Active: The client certificate is active.
- Revoked: The client certificate is revoked.
- Pending Reactivation: The client certificate was revoked, but is being restored.
- Pending Revocation: The client certificate was active, but is being revoked.